Google Assistant Bug Worth $3133.7!

You may well be aware of Google Assistant. This is a writeup of a reflected XSS which I found in console.actions.google.com.

My college professor asked me to conduct a useful workshop for students. After a quick search, I settled on the workshop topic "Making apps using Google Assistant". The documentation provided was very easy to follow, so it would be easily grasped by learners. So I was making a test app using the Assistant Web Console.

I was very lucky to find the XSS when I did, because just one week later Google started to extensively market Assistant via major YouTube channels. :P

I will go directly to the bug, i.e. the XSS.

There were many options and input fields like app name, link, description, etc.

New Assistant Console | the XSS was in the old console

I started saving payloads in each field. I soon realized that characters like < and > were not filtered, but the XSS never popped. :(

After some time, I used a data URI with base64 encoding in the link field to create the XSS. Clicking on the link triggered it.
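A defensive counterpart to the bug above, added here and not part of the original writeup or of Google's console code: an allow-list check for a user-supplied link field that rejects data: and javascript: URLs (including the base64 data: form the writeup used), plus a helper for triaging what a rejected data: URI carried. It assumes Node.js's WHATWG `URL` and `Buffer` APIs; all sample inputs are constructed and harmless.

```javascript
// Added defensive example (not code from the writeup or Google's console):
// allow-list the scheme of a user-supplied "link" value before it is ever
// rendered as an href that other users can click.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isSafeLinkUrl(raw) {
  if (typeof raw !== "string") return false;
  let url;
  try {
    // WHATWG parsing trims leading/trailing whitespace and control characters
    // and lower-cases the scheme, so "  JaVaScRiPt:" or "DATA:" cannot slip
    // past a naive startsWith("http") check.
    url = new URL(raw);
  } catch {
    return false; // relative, protocol-relative or unparsable input is rejected
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Triage helper for logging: which media type and payload did a rejected
// data: URI carry? Returns null for anything that is not a data: URL.
function inspectDataUri(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== "data:") return null;
  // strip leading/trailing C0 controls and spaces as the parser does, then drop "data:"
  const body = raw.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "").slice(5);
  const comma = body.indexOf(",");
  if (comma < 0) return null;
  const meta = body.slice(0, comma);
  const isBase64 = /;base64$/i.test(meta);
  const mediaType = (isBase64 ? meta.slice(0, -";base64".length) : meta) || "text/plain";
  const payload = isBase64
    ? Buffer.from(body.slice(comma + 1), "base64").toString("utf8")
    : decodeURIComponent(body.slice(comma + 1));
  return { mediaType, isBase64, payload };
}

// Constructed samples: two benign links, a base64 data: URI holding harmless
// HTML (the form described in the writeup), and a few evasion variants.
const SAMPLES = [
  "https://example.com/help",
  "http://example.com",
  "data:text/html;base64,PGgxPmhpPC9oMT4=", // decodes to "<h1>hi</h1>"
  "DATA:text/html,%3Ch1%3Ehi%3C/h1%3E",
  " \tjavascript:void(0)",
  "//other.example/path",
];

function classify(urls = SAMPLES) {
  return urls.map((u) => ({ url: u, safe: isSafeLinkUrl(u) }));
}

console.table(classify());
```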


Wannabe Security JCB | BTech CSE Student from India

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!
